How to Check If Your Email Has Been Hacked

Ever wonder if your online accounts have been compromised? Two security researchers at DVLabs have launched a Web site that lets you check instantly, and for free.

At PwnedList.com, you can enter your email address or social-networking username, and the site checks it against a vault of compromised data dumps. Currently it has nearly 5 million entries, 70 percent of which are email addresses and 30 percent usernames.

The site doesn't store your data, though you can opt in to receive a tweet from them if it shows up later. If you don't trust it (and let's face it, if you're on the site you're probably naturally skeptical), the site also accepts SHA-512 hashed entries, which you can create at Online-convert.com or Shell-tools.net.
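Hashing the address on your own machine means it is not sent to a converter web site before the check. The sketch below is an added example, not code from PwnedList or from the original article: it computes the SHA-512 entry locally and shows how a service can match it against hashed dump entries. The normalization (trim, lowercase), the function names and the sample entries are assumptions.

```python
import hashlib


def sha512_entry(identifier: str) -> str:
    """Hex SHA-512 of an email address or username, computed locally.

    Assumption: the lookup service hashes the trimmed, lowercased value.
    The article does not state which normalization PwnedList applies.
    """
    normalized = identifier.strip().lower()
    return hashlib.sha512(normalized.encode("utf-8")).hexdigest()


def build_index(dump_entries):
    """Service side: keep only the hashes of identifiers found in dumps."""
    return {sha512_entry(entry) for entry in dump_entries}


def is_listed(submitted_hash: str, index) -> bool:
    """Match a client-supplied hash; the plaintext never leaves the client."""
    return submitted_hash.strip().lower() in index


# Constructed sample data (example.com addresses, not from any real dump).
DUMP = ["alice@example.com", "bob_1984", "Carol@Example.com"]
INDEX = build_index(DUMP)


def demo():
    mine = sha512_entry("  Alice@example.com ")
    clean = sha512_entry("dave@example.com")
    # Common pitfall: hashing the value together with a trailing newline
    # (as `echo addr | sha512sum` does) yields a different digest, so the
    # lookup reports "not found" even though the address is in the dump.
    with_newline = hashlib.sha512(b"alice@example.com\n").hexdigest()
    return {
        "listed": is_listed(mine, INDEX),
        "clean": is_listed(clean, INDEX),
        "newline_variant": is_listed(with_newline, INDEX),
    }


if __name__ == "__main__":
    print(demo())
```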

The check isn't completely thorough of course, but typically after a database has been compromised, the culprits will post personal information at sites like Pastebin or through torrents for the cyberworld to harass. For example, today my colleague Damon Poeter reported that some Occupy Oakland activists published the names, addresses, and phone numbers of a police officer thought to have wounded Iraq War veteran Scott Olsen last week, but the information was incorrect. The week before, hacktivists Anonymous publicized a long list of people who visited an online child pornography site.

"I was trying to harvest as much data as I could, to see how many passwords I could possibly find, and it just happened to be that within two hours, I found about 30,000 usernames and passwords," co-creator Alen Puzic told Brian Krebs, a freelance security journalist. "That kind of got me thinking that I could do this every day, and if I could find over one million then maybe I could create a site that would help the everyday user find if they were compromised."

Puzic created the site with DVLabs colleague Jasiel Spelman.

If your email or username does appear on PwnedList, the first thing you should do is keep calm and change your password. In fact, you should be doing that on a regular basis.

Sara Yin is a junior analyst in the Software, Internet, and Networking group at PCMag.com, pouring most of her energy into app testing and security matters at Security Watch with Neil Rubenking. She lies awake at night pondering the state of mobile security (half-true).
Prior to joining PCMag.com, Sara spent five years reporting for publications in New York City (Huffington Post), Hong Kong (South China Morning Post), and Singapore (Campaign Asia, Men's Health).
Follow her on Twitter at @SecurityWatch and @sarapyin, or contact her the...